The Digest spec says that user names and passwords are TEXT. TEXT says that
it is any octet, except CTLs, except LWS is allowed. It also says the only
characters in it have to be ISO 8859-1 and or encoded according RFC 2047.
An issue which was raised to me is that user name and password have to be
typed by users. To quote the person (Chris Newman) who pointed this out to
me:
Here's a nasty one -- TEXT is defined as using either ISO 8859-1 or RFC
2047 encoding for internationalization in [HTTP/1.1 spec]. RFC 2047
encoding will
never work in this context since it has no reasonable canonical form.
Therefore, in order to comply with RFC 2277 you either need to make this
use UTF-8, or make it use US-ASCII only, claiming the "identifier"
exception (and we can make it UTF-8 later if we wish).
I.e., the mapping from what you type to the octets of the password have to
be the same everywhere, otherwise the password won't compute the correct MD5
hash values.
I don't pretend to understand the I18N issues. Are there problems if we say
that the password is UTF-8 encoded (and change the BNF)? How about user
name?
Paul